A framework for mastering heterogeneity in multi-layer security information and event correlation

Security Information and Event Management (SIEM) is a consolidated technology that relies on the correlation of massive amounts of security-relevant information in order to detect ongoing attacks and intrusions. This correlation process is usually fed with logs generated by network devices and equipment, thus proving to be ineffective against attacks that affect multiple domains (e.g. physical, logical) or different architectural levels (e.g. network, operating system, application) of a service infrastructure. To bridge the gap, we propose a flexible framework for event collection and correlation, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure. The framework has been integrated into the open-source SIEM OSSIM, and validated in two challenging case studies, namely a dam infrastructure control system and a mobile phone based payment service.